Users are unable to log in using the offline Device Access Code. When they try to log in with the offline Device Access Code for Desktop MFA, they receive the following error:
Periodically your organization's security policy requires a different method to verify your identity. You must verify another way.
- Okta Device Access
- Desktop MFA for macOS
- Okta Identity Engine (OIE)
- macOS devices
The LoginPeriodWithOfflineFactor setting defines the duration (in hours) that users can sign in to a device using offline Multi-Factor Authentication (MFA) methods. If a user attempts to sign in offline after this period has expired, access will be denied. They will then be required to connect to the internet and authenticate using an online sign-in method. If not specified in the configuration profile, the default value for this setting is 168 hours.
Admins can collect logs from the following path to verify whether the user has exceeded the offline login limit: /var/log/com.okta.deviceaccess/OktaDeviceAccess.log
The following log snippet is recorded when the offline login grace period is over for the device:
2025/05/26 02:15:41:804 -0700 {✅ "Factor-Management": {"message": "Offline factor grace period in effect? false; expiry date: 2025-05-26 08:10:13 +0000; now: 2025-05-26 09:15:41 +0000", "defaultProperties": "", "location": "FactorRequirementsManager.swift:offlineFactorInEffect(zeroFactorOver:):249"}}
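To run this check across collected logs, the Python script below is an added example (not Okta tooling) that extracts the grace-period entries and reports how far past expiry each sign-in attempt was. The function names are hypothetical, and the first sample line is constructed on the assumption that the message keeps the same format while the grace period is still in effect.

```python
import re
from datetime import datetime, timedelta

# Message format taken from the log line shown on this page.
GRACE_RE = re.compile(
    r"Offline factor grace period in effect\? (?P<in_effect>true|false); "
    r"expiry date: (?P<expiry>[\d-]+ [\d:]+ [+-]\d{4}); "
    r"now: (?P<now>[\d-]+ [\d:]+ [+-]\d{4})"
)
TS_FORMAT = "%Y-%m-%d %H:%M:%S %z"

SAMPLE_LOG = [
    # Constructed line (assumed format for a check inside the grace period).
    '2025/05/25 02:15:41:804 -0700 {✅ "Factor-Management": {"message": '
    '"Offline factor grace period in effect? true; expiry date: '
    '2025-05-26 08:10:13 +0000; now: 2025-05-25 09:15:41 +0000"}}',
    # Line from this page (trailing fields omitted for brevity).
    '2025/05/26 02:15:41:804 -0700 {✅ "Factor-Management": {"message": '
    '"Offline factor grace period in effect? false; expiry date: '
    '2025-05-26 08:10:13 +0000; now: 2025-05-26 09:15:41 +0000"}}',
]


def parse_grace_events(lines):
    """Return one dict per grace-period check found in the log lines."""
    events = []
    for line in lines:
        m = GRACE_RE.search(line)
        if not m:
            continue  # unrelated log entry
        expiry = datetime.strptime(m["expiry"], TS_FORMAT)
        now = datetime.strptime(m["now"], TS_FORMAT)
        events.append({
            "in_effect": m["in_effect"] == "true",
            "expiry": expiry,
            "now": now,
            # Time elapsed since expiry; zero while still inside the window.
            "overrun": max(now - expiry, timedelta(0)),
        })
    return events


def offline_login_blocked(lines):
    """True if the most recent check says the grace period is over."""
    events = parse_grace_events(lines)
    return bool(events) and not events[-1]["in_effect"]


if __name__ == "__main__":
    for e in parse_grace_events(SAMPLE_LOG):
        print(e["now"], "in effect:", e["in_effect"], "overrun:", e["overrun"])
    print("online sign-in required:", offline_login_blocked(SAMPLE_LOG))
```

To run it against a real device log, pass the lines of /var/log/com.okta.deviceaccess/OktaDeviceAccess.log to the same functions instead of SAMPLE_LOG.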
When configuring Desktop MFA policies, review the LoginPeriodWithOfflineFactor setting located in the com.okta.deviceaccess.servicedaemon.plist file.
When choosing a value, consider scenarios such as:
- Users needing to log in while traveling (potentially without internet).
- Situations where users must log in to the device before they can access the internet.
- Online logins occur only after a device reboots or the user completely logs off.
- Setting LoginPeriodWithOfflineFactor to 0 (zero) prevents users from logging in with any offline factors.
